Kubernetes certificate management debugging and configuration. This skill should be used when troubleshooting cert-manager issues, configuring private CA issuers (SelfSigned, CA, Vault), integrating with Traefik IngressRoute TLS, diagnosing Certificate/CertificateRequest/Issuer problems, or debugging webhook connectivity issues.
Kubernetes-native TLS certificate lifecycle management. Automates issuance, renewal, and rotation from private CAs.
When certificates fail, debug the resource chain in order:
Certificate → CertificateRequest → Issuer/ClusterIssuer
First commands to run:
```bash
kubectl get certificate,certificaterequest,issuer,clusterissuer -A
kubectl describe certificate <name> -n <namespace>
```
For detailed debugging steps, see references/troubleshooting-workflow.md.
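The chain walk above can be automated over the JSON form of the first command. This is an added example, not part of the skill or of cert-manager. The sample objects, their names, and their condition reasons and messages are constructed, and `walk_chain` and `root_cause` are hypothetical helper names.

```python
# Constructed sample, shaped like the "items" of
# `kubectl get certificate,certificaterequest,issuer,clusterissuer -A -o json`.
def cond(status, reason="", message=""):
    c = {"type": "Ready", "status": status, "reason": reason, "message": message}
    return {"conditions": [c]}

ITEMS = [
    {"kind": "Certificate", "metadata": {"name": "web-tls", "namespace": "apps"},
     "spec": {"issuerRef": {"name": "internal-ca", "kind": "ClusterIssuer"}},
     "status": cond("False", "DoesNotExist", "Secret does not exist yet")},
    {"kind": "CertificateRequest",
     "metadata": {"name": "web-tls-1", "namespace": "apps",
                  "ownerReferences": [{"kind": "Certificate", "name": "web-tls"}]},
     "spec": {"issuerRef": {"name": "internal-ca", "kind": "ClusterIssuer"}},
     "status": cond("False", "Pending", "Referenced issuer is not ready")},
    {"kind": "ClusterIssuer", "metadata": {"name": "internal-ca"},
     "status": cond("False", "ErrGetKeyPair", "CA key pair Secret not found")},
]

def ready(obj):
    """Return (is_ready, detail) taken from the object's Ready condition."""
    for c in obj.get("status", {}).get("conditions", []):
        if c["type"] == "Ready":
            return c["status"] == "True", f'{c.get("reason", "")}: {c.get("message", "")}'
    return False, "no Ready condition reported yet"

def find(items, kind, name, namespace=None):
    return next((o for o in items if o["kind"] == kind and o["metadata"]["name"] == name
                 and o["metadata"].get("namespace") == namespace), None)

def walk_chain(items, namespace, cert_name):
    """Return [(kind, name, ready, detail)] for Certificate -> CertificateRequest -> issuer."""
    cert = find(items, "Certificate", cert_name, namespace)
    if cert is None:
        return [("Certificate", cert_name, False, "not found")]
    # CertificateRequests point back at their Certificate through ownerReferences.
    reqs = [o for o in items if o["kind"] == "CertificateRequest"
            and o["metadata"].get("namespace") == namespace
            and any(r["kind"] == "Certificate" and r["name"] == cert_name
                    for r in o["metadata"].get("ownerReferences", []))]
    ref = cert["spec"]["issuerRef"]
    kind = ref.get("kind", "Issuer")  # issuerRef.kind defaults to Issuer when omitted
    # A ClusterIssuer is cluster-scoped; an Issuer lives in the Certificate's namespace.
    issuer = find(items, kind, ref["name"], None if kind == "ClusterIssuer" else namespace)
    hops = [(o["kind"], o["metadata"]["name"], *ready(o)) for o in [cert, *reqs]]
    hops.append((kind, ref["name"], *ready(issuer)) if issuer
                else (kind, ref["name"], False, "not found"))
    return hops

def root_cause(hops):
    """The deepest hop that is not Ready is where to start fixing."""
    return next((h for h in reversed(hops) if not h[2]), None)
```

On a real cluster, replace `ITEMS` with the `items` list parsed from the command's `-o json` output.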
This skill focuses on self-hosted issuers (no Let's Encrypt):
| Issuer Type | Use Case |
|---|---|
| SelfSigned | Bootstrap CA hierarchy, testing |
| CA | Sign with existing CA credentials in Secret |
| Vault | Sign via HashiCorp Vault PKI engine |
# Creates self-signed root, then CA issuer for leaf certs
apiVersion: cert-manager.io/v1